You may remember that back in November, we released an alert about protecting yourself from the POODLE SSL vulnerability. For those of you who are less familiar with SSL, it refers to a type of encryption that was once used to secure communications between a user’s Web browser and a website in order to protect transmitted data from eavesdropping or tampering.

The Shift4 team is back from the National Retail Federation’s (NRF) 104th Annual Convention and EXPO, also known as Retail’s BIG Show. Omni-channel, mobile, and EMV were three of the hottest topics for retailers at the show this year, so we’re discussing each of these issues from a payments perspective because they’ll apply to other industries, too.

While you enjoy all the treasures this season holds,
We hope you'll take a moment to watch as a story unfolds,
About a hacker who tried to spoil Christmas day,
Until merchants using Shift4 got in his way…

The chip cards are coming! We are now just 10 months away from the October 2015 liability shift date for U.S. EMV. That’s the date the card brands set to have all U.S. merchants supporting EMV (Chip card) technology. After that date, whichever organization breaks the “EMV chain” will be held responsible for fraudulent card activity that could have been prevented had they supported EMV.

Update 4/19/17: Shift4’s point-to-point encryption solution, True P2PE, is now PCI validated. We were able to build a unique solution that met the PCI SSC validation requirements without compromising our own high standards for speed, security, and reliability. Because of this, some of the information in this article (which was published in 2014) may not reflect our current stance and policies on the topic.

We told you last month that adding support for Apple Pay™ was going to be quick and easy, and it was. We’re happy to announce that Shift4 now supports Apple Pay contactless (NFC) payments. In fact, a few of our customers have already started processing Apple Pay transactions.

By Steve Sommers – Senior Vice President of Applications Development, Shift4 Corporation

This piece is part 2 of a series on the differences between fraud and breaches. The first article in the series can be found here.

CardNotPresent.com published an article last week that featured an unusually candid Bob Russo. For those who aren’t familiar with that name, Russo is the recently retired GM of the Payment Card Industry Security Standards Council (PCI SSC). As GM and cheerleader-in-chief, Russo spent most of the last decade trying to get merchants to buy into PCI’s standard and convince us all that PCI compliance was the be-all, end-all.

It seems like we’re hearing about a new major card-data breach on an almost weekly basis. It’s both incredibly frustrating and incredibly sad to see millions of people paying the price for businesses’ failures to adequately secure their data. What’s even more concerning is that it’s happening so often that we’ve heard people say, “Breaches are just part of the cost of doing business these days.”

For years, we’ve been warning merchants about the brand damage that can come as a result of a card data breach, and recently a series of articles and research studies have made it clear just how harmful it can be. If you’re not currently taking full advantage of our suite of security technologies, including both TrueTokenization® and point-to-point encryption (P2PE), here are a few reasons to make the change.

We recently came across an article published by Digital Transactions that discussed “The Furious Battle to Control Tokenization.” The article laid out the politics and power struggles within the payments space and did a good job of explaining the current state of the industry.

In the wake of the major retail breaches late last year, the card brands (and a few of the larger issuing banks) dumped huge amounts of money into PR campaigns that positioned EMV as the solution to our card-data security troubles. Now, those of you who follow our blog closely will remember that we very quickly spoke out and warned that this is not true and that EMV wouldn’t have stopped the recent breaches.

Target, Michael’s, Neiman Marcus, White Lodging, and now P.F. Chang’s. It seems like every month there is a new, major data breach making headlines. In the most recent case, P.F. Chang’s appears to have been compromised for close to nine months, and experts say more than seven million card numbers may have been stolen.

After 20 years in the industry, we’ve noticed that far too many of them seem motivated only by the dollar, and not by any real desire to help the merchants they supposedly serve. For years, we’ve warned our merchant customers about the shady business practices of some merchant services providers (MSPs) and independent sales organizations (ISOs).

As your merchant advocate, we want to take just a moment of your time to let you know about a recent United States Executive Order impacting all U.S. processors. It may have an impact on your business, especially if a high percentage of your clientele uses internationally-issued payment cards.

Shift4 is aware of the “Heartbleed” vulnerability that is being reported by security bloggers and the mainstream media. None of Shift4’s technologies have been affected by the Heartbleed bug. Because we’re your merchant advocates, we have put together the following information to help you protect your personal information from other sites that may have been compromised.

If you were comparing new POS swipe device models, and I explained that one provided zero protection from the type of breach major retailers have recently experienced, while the other provided complete protection from a card data security breach for about $50 more, which would you choose? Pretty easy choice, right? What you would be purchasing is a P2PE-enabled swipe device. And then I’d congratulate you for taking a much-needed step toward protecting your business and your customers against a devastating security breach.

We’ve spent much of the last five years warning merchants about companies that claim to offer tokenization when what they really have is nothing more than a weak encryption scheme. We call these solutions “tokenization in name only,” or TINO for short, and they annoy us to no end. But we’re happy to announce that something is finally being done about them.